I understand that I am potentially starting a browser war, but so be it. Firefox, is a better (safer?) browser, and one of the main reasons that I say that is noscript http://noscript.net . Noscript is a Firefox extension, that allows the user to decide which sites can and cannot run javascript and java. It is amazing how many websites want to load code on a page you are looking at, without you even realizing it.

I personally feel that the threat of cross-site scripting is a major issue and we need to do our due diligence as infosec representatives and take the extra steps to thwart malware. I empathize that it can be annoying to have to temporarily allow a site to run javascript, but if you blindly trust a site and they become compromised you may or may not now be infected. I'll put up with the hassle, noscript is enabled and shields are up!

P.S.

Make certain you enable javascript temporarily when posting on eh.net or you will have to may have to re-type your post

I used to use NoScript on a regular basis but I have to say that since almost every site I visit requires JavaScript in order for simple things like links to work I've given up with it. A lot of work for perhaps little benefit.

Be careful though, blocking JavaScript does not block XSS vulnerabilities. You can inject plain HTML or any other code into an XSS-vulnerable page. For example you could inject a HTML form to steal login credentials and not use JavaScript at all.

I have used FF since it first came out, and don't know where I would be without it. As an aside I have been reading a little about 3.0 and there is some grumbling from hardcore beta testers saying that the mozilla folks have bloated the browser with .ext's rather than allowing each user to pick and choose which addons fits his/her individual needs. Hopefully (if that is the case) they will run a leaner light version, that is just FF *fingers crossed*

jimbob,

Thank you for pointing out that noscript does not defend against xss, I re-read my post and it seemed a little confusing. I was trying to say that xss is so dangerous that we should do whatever (even if inconvenient) it takes to keep things at bay, when we can (like java and javascript).

[quote author=RichM link=topic=1390.msg5046#msg5046 Thank you for pointing out that noscript does not defend against xss, I re-read my post and it seemed a little confusing. I was trying to say that xss is so dangerous that we should do whatever (even if inconvenient) it takes to keep things at bay, when we can (like java and javascript). [/quote]

Ah, gotcha. JavaScript is used to deliver all manner of browser nasties so blocking it block malicious injected code. Like I said before, NoScript is a great plugin that I've got too lazy to use. Bad me.